From Secunia: Stefan Esser has reported a vulnerability in PHP, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to an input validation error within the "ZipArchive::extractTo()" function when extracting ZIP archives. This can be exploited to extract files to arbitrary locations outside the specified directory via directory traversal sequences in a specially crafted ZIP archive.
The advisory says this is fixed in php 5.2.7, which is not on the main php page but is on the mirrors. http://www.php.net/get/php-5.2.7.tar.bz2/from/a/mirror is functional.
From the actual advisory:
To exploit this an attacker just needs to
create a zip archive containing filenames like
An easy way to achieve that is to just store a file with a long
name inside the zip archive and then change it with a hex editor
Bump will happen on this Sunday most likely, and it'll either end up being in p.mask or shipping a critical patch. Vanilla 5.2.7 has broken magic_quotes_gpc which may lead to severe security issues or render user-supplied data unusable.
Upstream has dropped 5.2.7 and if we were to ship it with the magic_quotes_gpc fix it would just lead to confusion ("why does Gentoo ship it and upstream has removed it!?"), so we'll be waiting for the hopefully very soon to be released 5.2.8.
php-5.2.8 is in the tree; it has other security improvements as well. Will provide a list tomorrow and add arches then.
Known test failures with USE="-* cgi cli fastbuild suhosin pcre session":
Bug #30707 (Segmentation fault on exception in method) [Zend/tests/bug30707.phpt]
Bug #31177 (Memory leak) [Zend/tests/bug31177.phpt]
(In reply to comment #4)
> Will provide a list tomorrow and add arches then.
Tomorrow is over for a few days now :P, any news here?
Directory traversal vulnerability in the ZipArchive::extractTo
function in PHP 5.2.6 and earlier allows context-dependent attackers
to write arbitrary files via a ZIP file with a file whose name
contains .. (dot dot) sequences.
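As an added example (not code from this bug thread or from PHP upstream), an application-side guard for PHP builds older than the fixed release: every entry name in the archive is checked for the ".." traversal pattern described above before ZipArchive::extractTo() is called, so a crafted archive is refused instead of writing outside the destination directory. The function names zipEntryNameIsSafe and safeExtract are my own.

```php
<?php
// Added example, not code from this bug thread or from PHP upstream.
// Application-side guard: check every entry name before ZipArchive::extractTo()
// so an archive whose names carry ".." segments (the advisory's technique) or
// an absolute path is refused rather than written outside the target directory.
// Written without PHP 5.4+/7 syntax so it also runs on the 5.2 builds discussed.

// Returns true if a ZIP entry name is safe to extract below the destination.
function zipEntryNameIsSafe($name)
{
    if ($name === '' || strpos($name, "\0") !== false) {
        return false;                          // empty or NUL-truncated name
    }
    $name = str_replace('\\', '/', $name);     // treat backslashes as separators
    if ($name[0] === '/' || preg_match('/^[A-Za-z]:/', $name)) {
        return false;                          // absolute or drive-qualified path
    }
    foreach (explode('/', $name) as $segment) {
        if ($segment === '..') {
            return false;                      // directory traversal segment
        }
    }
    return true;
}

// Extracts $zipPath into $destDir only when every entry passes the check.
// Returns the offending entry names; an empty array means extraction happened.
function safeExtract($zipPath, $destDir)
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    $bad = array();
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $entry = $zip->getNameIndex($i);
        if (!zipEntryNameIsSafe($entry)) {
            $bad[] = $entry;                   // collect, do not extract anything
        }
    }
    if (count($bad) === 0) {
        $zip->extractTo($destDir);             // all names verified first
    }
    $zip->close();
    return $bad;
}
```

Because the whole archive is inspected before any file is written, a single malicious entry aborts the extraction rather than leaving a partially extracted tree behind.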
php-5.2.8-r1 which I've just added to the tree has the following security-relevant improvements:
* This version no longer uses the bundled libpcre, but the system version
* A more complete fix for the c-client-related vulnerabilities (was
CVE-2008-2829; no idea whether the old fix was incomplete (I'd suspect so)
or whether the new one is just technically better)
Fixes since 5.2.7:
* mod_php avoided proper logging of HTTP-authed users to Apache logs
* Certain XML files could crash scripts relying on certain ext/xml
functionality (DoS w/ FastCGI)
* Certain functions in ext/mssql could crash PHP with certain DB contents
(DoS w/ FastCGI)
* Missing bounds checking in ext/gd's imagerotate() function allowed for
exposure of memory contents (e.g. SSL private keys) w/ mod_php
* Crash in ext/openssl when using get_headers() w/ a specific target server
configuration (DoS w/ FastCGI)
Fixes since 5.2.6-r7:
* Fix for ZipArchive::extractTo() Directory Traversal (CVE-2008-5658)
... and more, I'll prepare a more exhaustive list in the next few days hopefully...
Arches, please test and mark stable:
Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86
(In reply to comment #7)
> php-5.2.8-r1 which I've just added to the tree has the following
> security-relevant improvements:
> * This version no longer uses the bundled libpcre, but the system version
I was thinking about adding a check if libpcre has been built with +unicode as 5.2.8 hit me that way :P - just noticed -r1 already has it :) Thanks!
Stable for HPPA.
GLSA request filed.
PHP 5 before 5.2.7 does not properly initialize the page_uid and
page_gid global variables for use by the SAPI php_getuid function,
which allows context-dependent attackers to bypass safe_mode
restrictions via variable settings that are intended to be restricted
to root, as demonstrated by a setting of /etc for the error_log
PHP 5 before 5.2.7 does not enforce the error_log safe_mode
restrictions when safe_mode is enabled through a php_admin_flag
setting in httpd.conf, which allows context-dependent attackers to
write to arbitrary files by placing a "php_value error_log" entry in
a .htaccess file.
Heap-based buffer overflow in
ext/mbstring/libmbfl/filters/mbfilter_htmlent.c in the mbstring
extension in PHP 4.3.0 through 5.2.6 allows context-dependent
attackers to execute arbitrary code via a crafted string containing
an HTML entity, which is not properly handled during Unicode
conversion, related to the (1) mb_convert_encoding, (2)
mb_check_encoding, (3) mb_convert_variables, and (4) mb_parse_str
Sorry for the bugspam, but we need to document what we did with those bugs...
Cross-site scripting (XSS) vulnerability in PHP, possibly 5.2.7 and
earlier, when display_errors is enabled, allows remote attackers to
inject arbitrary web script or HTML via unspecified vectors. NOTE:
because of the lack of details, it is unclear whether this is related
PHP 5.2.7 contains an incorrect change to the FILTER_UNSAFE_RAW
functionality, and unintentionally disables magic_quotes_gpc
regardless of the actual magic_quotes_gpc setting, which might make
it easier for context-dependent attackers to conduct SQL injection
attacks and unspecified other attacks.
Thank you everyone, sorry about the delay.